The Internal Audit Department provides a variety of information technology services to County departments and agencies including audits and reviews of:
General computer controls – security planning and management, access controls, application software development and change control, operating system software, segregation of duties, and service continuity.
Application controls – data input, processing, and output.
Application development – request, requirements, planning, design, development, and testing.
Additionally, we perform continuous auditing using CAATs (Computer Assisted Audit Techniques). We use a proprietary, state-of-the-art, industry-recognized software product to help us analyze patterns and exceptions in the County's financial data.
IT Standards & Criteria
Criteria used in evaluating information technology applications and procedures are derived from:
FISCAM (Federal Information Systems Controls Audit Manual) by the GAO
Industry best practices
IT Self-Assessment
The Internal Audit Department has prepared an IT self-assessment form. We encourage County Departments' use of the form to help ensure an adequate control system exists in their IT environment. If you are with a County Department and would like to request a copy, please contact us at 714.834.5475.
Security & Compliance
As an employee of the County of Orange, you can help keep our technology infrastructure secure and compliant.
Activate the operating system screen saver password feature and lock your workstation when leaving it unattended.
Do not open e-mails and attachments from senders you do not recognize.
Comply with software licensing for all applications and do not violate copyright laws (e.g., for software, music, video).
Use strong passwords for your user accounts and do not share passwords with anyone or write passwords down.
Do not include all or part of your user ID in your password.
Use at least seven characters in your password.
Use at least three of the following four groups: upper case characters, lower case characters, numbers, and special characters (!, @, #, etc.).
IT managers and administrators should facilitate sound IT practices:
Enable virus scanning software on all workstations and servers and ensure software patches and virus updates are installed on a regular basis.
Assign access using the least privilege principle and only grant access on a need-to-know and right-to-know basis.
Ensure key applications have end-user and IT support documentation.
Perform a risk analysis of IT operations and be familiar with data sensitivity and the impact of a security breach.
Update business continuity plans and ensure staff are familiar with disaster work-around procedures.
Document development, testing, and approval of all application changes.
Set operating and application security settings based upon the risks associated with the data you control.
Enforce password history, maximum & minimum password age, and minimum password length.
Set an appropriate account lockout duration & threshold and reset period.
Enable system event auditing and frequently review system logs.